Closed
Bug 1134560
(CVE-2015-0804)
Opened 9 years ago
Closed 9 years ago
Type confusion in HTMLSourceElement::BindToTree
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
Status: RESOLVED FIXED
Branch | Tracking | Status
---|---|---
firefox36 | --- | wontfix |
firefox37 | + | fixed |
firefox38 | + | fixed |
firefox39 | + | fixed |
firefox-esr31 | --- | unaffected |
b2g-v1.4 | --- | unaffected |
b2g-v2.0 | --- | unaffected |
b2g-v2.0M | --- | unaffected |
b2g-v2.1 | --- | disabled |
b2g-v2.1S | --- | disabled |
b2g-v2.2 | --- | disabled |
b2g-master | --- | fixed |
People
(Reporter: nils, Assigned: longsonr)
References
Details
(Keywords: sec-critical, Whiteboard: [adv-main37+])
Attachments
(2 files)
When binding a <source> element to a tree the function checks for any siblings of the type <img>. It fails to validate the namespace and only checks for the tag name:

```cpp
if (aParent && aParent->IsNodeOfType(nsINode::eMEDIA)) {
  HTMLMediaElement* media = static_cast<HTMLMediaElement*>(aParent);
  media->NotifyAddedSource();
} else if (aParent && aParent->Tag() == nsGkAtoms::picture) {
  // Find any img siblings after this <source> and notify them
  nsCOMPtr<nsINode> sibling = AsContent();
  while ( (sibling = sibling->GetNextSibling()) ) {
    if (sibling->Tag() == nsGkAtoms::img) {
      HTMLImageElement *img = static_cast<HTMLImageElement*>(sibling.get());
      img->PictureSourceAdded(AsContent());
    }
  }
}
```

This can result in a type confusion. See the attached testcase, which demonstrates the issue. ASan detects this issue as a use-after-free (output attached). This vulnerability can also be triggered on the stable release version of Firefox without <picture> being enabled, as the check in the code only validates the tag name. The testcase crashes on Windows accessing unmapped memory during garbage collection.
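To make the namespace point concrete, here is an added C++ model of the sibling walk (not Gecko code; the class names mirror Gecko but are stand-ins): the tag-only predicate from the description beside a namespace-aware one, run over a constructed sibling list. The shape of the hardened check is an assumption about the fix, not taken from the bug.

```cpp
#include <string>
#include <vector>
// Toy model of the sibling walk in HTMLSourceElement::BindToTree (added
// example, not Gecko code; the class names are stand-ins).
enum class Namespace { XHTML, SVG };
struct Node {
    std::string tag;  // local name, e.g. "img"
    Namespace ns;     // element namespace
    Node(std::string t, Namespace n) : tag(t), ns(n) {}
    virtual ~Node() = default;
};
// The type the original code assumes after a tag-name match.
struct HTMLImageElement : Node {
    using Node::Node;
    int sourcesAdded = 0;
    void PictureSourceAdded() { ++sourcesAdded; }
};
// An element whose local name is also "img" but lives in another namespace
// (document.createElementNS can create one). It is NOT an HTMLImageElement.
struct NonHTMLElement : Node { using Node::Node; };
// Vulnerable predicate: local name only, as in the original check.
bool MatchesTagOnly(const Node& n) { return n.tag == "img"; }
// Hardened predicate: namespace and local name (assumed shape of the fix;
// Gecko exposes such a check as IsHTMLElement(nsGkAtoms::img)).
bool IsHTMLImg(const Node& n) { return n.ns == Namespace::XHTML && n.tag == "img"; }
// accepted: siblings the predicate matched; confused: matched siblings that are
// not HTMLImageElement. confused > 0 is the type confusion the bug describes.
struct WalkResult { int accepted = 0; int confused = 0; };
WalkResult WalkSiblings(const std::vector<Node*>& siblings, bool checkNamespace) {
    WalkResult r;
    for (Node* s : siblings) {
        if (!(checkNamespace ? IsHTMLImg(*s) : MatchesTagOnly(*s))) continue;
        ++r.accepted;
        // dynamic_cast stands in for the real static_cast: it yields null
        // instead of a mistyped pointer when the object is the wrong type.
        if (auto* img = dynamic_cast<HTMLImageElement*>(s)) img->PictureSourceAdded();
        else ++r.confused;
    }
    return r;
}
// Constructed sample siblings after <source>: a real <img>, an "img" in a
// non-HTML namespace, and a <span>.
WalkResult Demo(bool checkNamespace) {
    HTMLImageElement img("img", Namespace::XHTML);
    NonHTMLElement fake("img", Namespace::SVG);
    NonHTMLElement span("span", Namespace::XHTML);
    return WalkSiblings({&img, &fake, &span}, checkNamespace);
}
```

With the tag-only check the walk accepts two siblings and one of them is not an image element; with the namespace check it accepts only the real <img>.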
Updated•9 years ago
Assignee: nobody → longsonr
Updated•9 years ago
Flags: sec-bounty?
Updated•9 years ago
Keywords: sec-critical
Updated•9 years ago
status-firefox36: --- → wontfix
status-firefox37: --- → affected
status-firefox38: --- → affected
status-firefox39: --- → affected
status-firefox-esr31: --- → unaffected
tracking-firefox37: --- → +
tracking-firefox38: --- → +
tracking-firefox39: --- → +
Updated•9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated•9 years ago
status-b2g-v1.4: --- → unaffected
status-b2g-v2.0: --- → unaffected
status-b2g-v2.0M: --- → unaffected
status-b2g-v2.1: --- → disabled
status-b2g-v2.1S: --- → disabled
status-b2g-v2.2: --- → disabled
status-b2g-master: --- → fixed
Updated•9 years ago
Flags: sec-bounty? → sec-bounty+
Updated•9 years ago
Whiteboard: [adv-main37+]
Updated•9 years ago
Alias: CVE-2015-0804
Updated•8 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: core-security-release